Puppylinux is a small, but very powerful, single user distribution, running as root is the only way to do it.
When running from a live CD/DVD, as I always do, there is no other way to access a HD or a memory stick, than as root. An alternative would be to use the same user name as owner of the devices, but then, what is the point of a puppy if it isn't portable?
When that is said, I also have to mention the number of times I have uploaded files to my /home-directory at the university, and forgot to change the permissions, making my own files inccessible from an on-site pc, where safety issues prevent me from booting my dpup...
Puppylinux is small because it is intended for a single-user, anyone can carry it on a CD/DVD or a USB stick, it 'works right out of the box', with a minimum of setup. I see no need for puppylinux as a multi-user distribution whatsoever!
I really think that people who need a multi-user puppy, should maybe look for another distribution? Why complicate life by adding more code to a puppy?
Although I am the only one accessing my machines, my multi-GB Debian on HDs is run as multi-user. Very sensible, not only because of all the hazzle of installing such a massive distribution, but to avoid having several users spending their remaining days with configuring and setting up, potentially thousands of applications.
I feel safe! I don't have a home page in my dpup's browser, I usually turn on privacy mode when I use it, my internet provider has firewalls, they give me a new IP every time I log on, I have a firewall, I run from RAM, no savefile on HD, but I can access all devices plugged in, if needed.
I don't have the need for communicating to god knows who, through our new 'social media', all kind of private information that might be useful for some attack on my privacy.
To feel even more safe, there are always the applications that hide your IP, let you browse from an anonymous 'safe' account, through TOR if you want that, and probably lots of other safe ways to access the internet. I don't use them, and I don't know anything about them. (Yet.)
Chroot, anyone?

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cyber-criminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows: 'If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppy Linux is a nice small distribution that boots up fairly quickly. It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing Internet banking'. Source

N.B. choice of operating system becomes irrelevant if recommended security precautions are not applied

*this keeps someone from killing lock with ctrl+alt+backspace and logging back in automatically and also gives the option on bootup to enter 'root' and 'password'.

Create Password
Boot Puppy

ctrl+alt+F2 (because my eyes are going and this is easier to read than in a console)

"
puppypc login :root
Password : well known and published password
#passwd
Changing password for root
New password : a new and unpublished password
Retype password : a new and unpublished password
Password for root changed by root
"

ctrl+alt+F3 (back to GUI)(F4 for some puppies)

Open terminal and type: passwd

Create a user to run applications.

Open terminal and type: cd / && mkdir home

Think of your new user name and then type in console: cd /home && mkdir YourNickHere

Puppy has a personal wiki called DidiWiki, with its own inbuilt HTTP server, so is accessed from a web browser, either locally or over a network/Internet. What we do in this case is run DidiWiki as user "spot". We can run an individual server application as a restricted non-root user, even though you yourself are still logged in as root.